Web Form Bruteforcing for Web Applications.

This is another post on how to conduct a web form bruteforce attack on a web application, this time using the ‘GET’ method rather than a ‘POST’ request, since the application supports ‘GET’-based requests only. It belongs to a series of research papers on the exploitation of a targeted web application set up for vulnerability analysis, conducted for ‘testing’ and ‘training’ purposes.

What’s different with the research?

I have personally gone over and deduced ‘several’ ways, and not just ‘one’ way, to tackle the web application as a target. This first post and the paper itself will deliver the ‘attack’ using different methods rather than ‘stick’ to one particular method of exploitation. It’s not open to everyone and these papers are being kept private for reasons. However, this first paper will be public.

What’s not included in the paper?

I have restricted myself from adding yet ‘another’ method to the paper for the public domain. This is done to keep the presentation limited to four methods. There are 5 or more possible methods of conducting the same exploitation on the target.

Sample Images of the paper?

Here are some sample images taken from the papers:

[Images: Sample 1, Sample 2, Sample 3]

What are some of the methods explained?

Some of the methods explained to bruteforce web form logins for targeted web applications include:

Exploitation via crunch password and username generated files

Exploitation using Burp Suite Intruder

Exploitation using a Python script for automation

Exploitation using Webslayer by feeding generated dictionaries into the tool.

I have redacted discussion of more methods in the paper because the paper itself is supposed to be private for different and various specific reasons. Those who are being trained under the ‘Web Application Exploitation’ course have access to these papers and benefit from them.

I am considering uploading these public papers in various ways, so that if one site goes down, they could be accessible for download via another. This is a part of the series of papers to come. Some of them will definitely be public. Others won’t be.